From 9de10f6ebffb3620ec80c31b0e9f02a2c9143aaa Mon Sep 17 00:00:00 2001
From: Jan Kalina
Date: Wed, 1 Mar 2017 16:10:02 +0100
Subject: [PATCH] Revert "AuthenticationElytronTestCase - EJB/remoting tests with Elytron"
This reverts commit 2c2ec4c709d9df35700d8c8a5180367cab7e1728.
---
.../AbstractAuthenticationTestCase.java | 485 ------------------
.../AuthenticationElytronTestCase.java | 33 --
.../ejb/security/AuthenticationTestCase.java | 476 ++++++++++++++++-
.../ejb/security/EjbElytronDomainSetup.java | 239 ---------
.../integration/ejb/security/users.properties | 1 -
5 files changed, 474 insertions(+), 760 deletions(-)
delete mode 100644 testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AbstractAuthenticationTestCase.java
delete mode 100644 testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationElytronTestCase.java
delete mode 100644 testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/EjbElytronDomainSetup.java
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AbstractAuthenticationTestCase.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AbstractAuthenticationTestCase.java
deleted file mode 100644
index 157eb4184a4c..000000000000
--- a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AbstractAuthenticationTestCase.java
+++ /dev/null
@@ -1,485 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright (c) 2011, Red Hat, Inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.as.test.integration.ejb.security;
-
-import static java.util.concurrent.TimeUnit.SECONDS;
-import static org.jboss.as.test.shared.integration.ejb.security.PermissionUtils.createPermissionsXmlAsset;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.HttpURLConnection;
-import java.net.SocketPermission;
-import java.net.URL;
-import java.security.Principal;
-import java.util.PropertyPermission;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import javax.ejb.EJB;
-import javax.ejb.EJBAccessException;
-import javax.security.auth.AuthPermission;
-import javax.security.auth.login.LoginContext;
-
-import org.jboss.as.test.categories.CommonCriteria;
-import org.jboss.as.test.integration.ejb.security.authentication.EntryBean;
-import org.jboss.as.test.integration.ejb.security.base.WhoAmIBean;
-import org.jboss.as.test.integration.security.common.AbstractSecurityDomainSetup;
-import org.jboss.as.test.shared.TestSuiteEnvironment;
-import org.jboss.as.test.shared.integration.ejb.security.Util;
-import org.jboss.as.test.shared.util.AssumeTestGroupUtil;
-import org.jboss.security.client.SecurityClient;
-import org.jboss.security.client.SecurityClientFactory;
-import org.jboss.shrinkwrap.api.ShrinkWrap;
-import org.jboss.shrinkwrap.api.asset.StringAsset;
-import org.jboss.shrinkwrap.api.spec.WebArchive;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-/**
- * Test case to hold the authentication scenarios, these range from calling a servlet which calls a bean to calling a bean which
- * calls another bean to calling a bean which re-authenticated before calling another bean.
- *
- * @author Carlo de Wolf
- * @author Darran Lofthouse
- */
-public abstract class AbstractAuthenticationTestCase {
-
- private static final String SERVER_HOST_PORT = TestSuiteEnvironment.getServerAddress() + ":" + TestSuiteEnvironment.getHttpPort();
- private static final String WAR_URL = "http://" + SERVER_HOST_PORT + "/ejb3security/";
-
- @BeforeClass
- public static void beforeClass() {
- AssumeTestGroupUtil.assumeElytronProfileTestsEnabled();
- }
-
- /*
- * Authentication Scenarios
- *
- * Client -> Bean
- * Client -> Bean -> Bean
- * Client -> Bean (Re-auth) -> Bean
- * Client -> Servlet -> Bean
- * Client -> Servlet (Re-auth) -> Bean
- * Client -> Servlet -> Bean -> Bean
- * Client -> Servlet -> Bean (Re Auth) -> Bean
- */
-
- protected static WebArchive getDeployment() {
- final Package currentPackage = AbstractAuthenticationTestCase.class.getPackage();
- // using JavaArchive doesn't work, because of a bug in Arquillian, it only deploys wars properly
- final WebArchive war = ShrinkWrap.create(WebArchive.class, "ejb3security.war")
- .addPackage(WhoAmIBean.class.getPackage()).addPackage(EntryBean.class.getPackage())
- .addClasses(WhoAmI.class, Util.class, Entry.class, TestSuiteEnvironment.class)
- .addClasses(WhoAmIServlet.class, AbstractAuthenticationTestCase.class, AbstractSecurityDomainSetup.class)
- .addAsResource(currentPackage, "users.properties", "users.properties")
- .addAsResource(currentPackage, "roles.properties", "roles.properties")
- .addAsWebInfResource(currentPackage, "web.xml", "web.xml")
- .addAsWebInfResource(currentPackage, "jboss-web.xml", "jboss-web.xml")
- .addAsWebInfResource(currentPackage, "jboss-ejb3.xml", "jboss-ejb3.xml")
- .addAsManifestResource(new StringAsset("Manifest-Version: 1.0\nDependencies: org.jboss.as.controller-client,org.jboss.dmr\n"), "MANIFEST.MF")
- .addAsManifestResource(createPermissionsXmlAsset(
- // login module needs to modify pricipal to commit logging in
- new AuthPermission("modifyPrincipals"),
- // AbstractAuthenticationTestCase#testAuthenticatedCall calls org.jboss.security.client.JBossSecurityClient#performSimpleLogin
- new RuntimePermission("org.jboss.security.getSecurityContext"),
- new RuntimePermission("org.jboss.security.SecurityContextFactory.createSecurityContext"),
- new RuntimePermission("org.jboss.security.SecurityContextFactory.createUtil"),
- new RuntimePermission("org.jboss.security.plugins.JBossSecurityContext.setSubjectInfo"),
- new RuntimePermission("org.jboss.security.setSecurityContext"),
- // AbstractAuthenticationTestCase#execute calls ExecutorService#shutdownNow
- new RuntimePermission("modifyThread"),
- // AbstractAuthenticationTestCase#execute calls sun.net.www.http.HttpClient#openServer under the hood
- new SocketPermission(SERVER_HOST_PORT, "connect,resolve"),
- // TestSuiteEnvironment reads system properties
- new PropertyPermission("management.address", "read"),
- new PropertyPermission("node0", "read"),
- new PropertyPermission("jboss.http.port", "read")),
- "permissions.xml");
- war.addPackage(CommonCriteria.class.getPackage());
- return war;
- }
-
- @EJB(mappedName = "java:global/ejb3security/WhoAmIBean!org.jboss.as.test.integration.ejb.security.WhoAmI")
- private WhoAmI whoAmIBean;
-
- @EJB(mappedName = "java:global/ejb3security/EntryBean!org.jboss.as.test.integration.ejb.security.Entry")
- private Entry entryBean;
-
- @Test
- public void testAuthentication() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- String response = entryBean.whoAmI();
- assertEquals("user1", response);
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testAuthentication_BadPwd() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "wrong_password");
- lc.login();
- try {
- entryBean.whoAmI();
- fail("Expected EJBAccessException due to bad password not thrown. (EJB 3.1 FR 17.6.9)");
- } catch (EJBAccessException ignored) {
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testAuthentication_TwoBeans() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- String[] response = entryBean.doubleWhoAmI();
- assertEquals("user1", response[0]);
- assertEquals("user1", response[1]);
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testAuthentication_TwoBeans_ReAuth() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- String[] response = entryBean.doubleWhoAmI("user2", "password2");
- assertEquals("user1", response[0]);
- assertEquals("user2", response[1]);
- } finally {
- lc.logout();
- }
- }
-
- // TODO - Similar test with first bean @RunAs - does it make sense to also manually switch?
- @Test
- public void testAuthentication_TwoBeans_ReAuth_BadPwd() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- entryBean.doubleWhoAmI("user2", "wrong_password");
- fail("Expected EJBAccessException due to bad password not thrown. (EJB 3.1 FR 17.6.9)");
- } catch (EJBAccessException ignored) {
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testAuthenticatedCall() throws Exception {
- // TODO: this is not spec
- final SecurityClient client = SecurityClientFactory.getSecurityClient();
- client.setSimple("user1", "password1");
- client.login();
- try {
- try {
- final Principal principal = whoAmIBean.getCallerPrincipal();
- assertNotNull("EJB 3.1 FR 17.6.5 The container must never return a null from the getCallerPrincipal method.",
- principal);
- assertEquals("user1", principal.getName());
- } catch (RuntimeException e) {
- e.printStackTrace();
- fail("EJB 3.1 FR 17.6.5 The EJB container must provide the caller’s security context information during the execution of a business method ("
- + e.getMessage() + ")");
- }
- } finally {
- client.logout();
- }
- }
-
- @Test
- public void testUnauthenticated() throws Exception {
- try {
- final Principal principal = whoAmIBean.getCallerPrincipal();
- assertNotNull("EJB 3.1 FR 17.6.5 The container must never return a null from the getCallerPrincipal method.",
- principal);
- // TODO: where is 'anonymous' configured?
- assertEquals("anonymous", principal.getName());
- } catch (RuntimeException e) {
- e.printStackTrace();
- fail("EJB 3.1 FR 17.6.5 The EJB container must provide the caller’s security context information during the execution of a business method ("
- + e.getMessage() + ")");
- }
- }
-
- @Test
- public void testAuthentication_ViaServlet() throws Exception {
- final String result = getWhoAmI("?method=whoAmI");
- assertEquals("user1", result);
- }
-
- @Test
- public void testAuthentication_ReAuth_ViaServlet() throws Exception {
- final String result = getWhoAmI("?method=whoAmI&username=user2&password=password2");
- assertEquals("user2", result);
- }
-
- @Test
- public void testAuthentication_TwoBeans_ViaServlet() throws Exception {
- final String result = getWhoAmI("?method=doubleWhoAmI");
- assertEquals("user1,user1", result);
- }
-
- @Test
- public void testAuthentication_TwoBeans_ReAuth_ViaServlet() throws Exception {
- final String result = getWhoAmI("?method=doubleWhoAmI&username=user2&password=password2");
- assertEquals("user1,user2", result);
- }
-
- @Test
- public void testAuthentication_TwoBeans_ReAuth__BadPwd_ViaServlet() throws Exception {
- try {
- getWhoAmI("?method=doubleWhoAmI&username=user2&password=bad_password");
- fail("Expected IOException");
- } catch (IOException e) {
- assertTrue(e.getMessage().contains("javax.ejb.EJBAccessException"));
- }
- }
-
- /*
- * isCallerInRole Scenarios
- */
-
- @Test
- public void testICIRSingle() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- assertTrue(entryBean.doIHaveRole("Users"));
- assertTrue(entryBean.doIHaveRole("Role1"));
- assertFalse(entryBean.doIHaveRole("Role2"));
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testICIR_TwoBeans() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- boolean[] response;
- response = entryBean.doubleDoIHaveRole("Users");
- assertTrue(response[0]);
- assertTrue(response[1]);
-
- response = entryBean.doubleDoIHaveRole("Role1");
- assertTrue(response[0]);
- assertTrue(response[1]);
-
- response = entryBean.doubleDoIHaveRole("Role2");
- assertFalse(response[0]);
- assertFalse(response[1]);
- } finally {
- lc.logout();
- }
- }
-
- @Test
- public void testICIR_TwoBeans_ReAuth() throws Exception {
- LoginContext lc = Util.getCLMLoginContext("user1", "password1");
- lc.login();
- try {
- boolean[] response;
- response = entryBean.doubleDoIHaveRole("Users", "user2", "password2");
- assertTrue(response[0]);
- assertTrue(response[1]);
-
- response = entryBean.doubleDoIHaveRole("Role1", "user2", "password2");
- assertTrue(response[0]);
- assertFalse(response[1]);
-
- response = entryBean.doubleDoIHaveRole("Role2", "user2", "password2");
- assertFalse(response[0]);
- assertTrue(response[1]);
- } finally {
- lc.logout();
- }
- }
-
- private static String read(final InputStream in) throws IOException {
- final ByteArrayOutputStream out = new ByteArrayOutputStream();
- int b;
- while ((b = in.read()) != -1) {
- out.write(b);
- }
- return out.toString();
- }
-
- private static String processResponse(HttpURLConnection conn) throws IOException {
- int responseCode = conn.getResponseCode();
- if (responseCode != HttpURLConnection.HTTP_OK) {
- final InputStream err = conn.getErrorStream();
- try {
- String response = err != null ? read(err) : null;
- throw new IOException(String.format("HTTP Status %d Response: %s", responseCode, response));
- } finally {
- if (err != null) {
- err.close();
- }
- }
- }
- final InputStream in = conn.getInputStream();
- try {
- return read(in);
- } finally {
- in.close();
- }
- }
-
-
- private String getWhoAmI(String queryString) throws Exception {
- return get(WAR_URL + "whoAmI" + queryString, "user1", "password1", 10, SECONDS);
- }
-
- public static String get(final String spec, final String username, final String password, final long timeout, final TimeUnit unit) throws IOException, TimeoutException {
- final URL url = new URL(spec);
- Callable task = new Callable() {
- @Override
- public String call() throws IOException {
- final HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- if (username != null) {
- final String userpassword = username + ":" + password;
- final String basicAuthorization = java.util.Base64.getEncoder().encodeToString(userpassword.getBytes());
- conn.setRequestProperty("Authorization", "Basic " + basicAuthorization);
- }
- conn.setDoInput(true);
- return processResponse(conn);
- }
- };
- return execute(task, timeout, unit);
- }
-
- private static String execute(final Callable task, final long timeout, final TimeUnit unit) throws TimeoutException, IOException {
- final ExecutorService executor = Executors.newSingleThreadExecutor();
- final Future result = executor.submit(task);
- try {
- return result.get(timeout, unit);
- } catch (TimeoutException e) {
- result.cancel(true);
- throw e;
- } catch (InterruptedException e) {
- // should not happen
- throw new RuntimeException(e);
- } catch (ExecutionException e) {
- // by virtue of the Callable redefinition above I can cast
- throw new IOException(e);
- } finally {
- executor.shutdownNow();
- try {
- executor.awaitTermination(timeout, unit);
- } catch (InterruptedException e) {
- // ignore
- }
- }
- }
-
-
- @Test
- public void testICIR_ViaServlet() throws Exception {
- String result = getWhoAmI("?method=doIHaveRole&role=Users");
- assertEquals("true", result);
- result = getWhoAmI("?method=doIHaveRole&role=Role1");
- assertEquals("true", result);
- result = getWhoAmI("?method=doIHaveRole&role=Role2");
- assertEquals("false", result);
- }
-
- @Test
- public void testICIR_ReAuth_ViaServlet() throws Exception {
- String result = getWhoAmI("?method=doIHaveRole&role=Users&username=user2&password=password2");
- assertEquals("true", result);
- result = getWhoAmI("?method=doIHaveRole&role=Role1&username=user2&password=password2");
- assertEquals("false", result);
- result = getWhoAmI("?method=doIHaveRole&role=Role2&username=user2&password=password2");
- assertEquals("true", result);
- }
-
- @Test
- public void testICIR_TwoBeans_ViaServlet() throws Exception {
- String result = getWhoAmI("?method=doubleDoIHaveRole&role=Users");
- assertEquals("true,true", result);
- result = getWhoAmI("?method=doubleDoIHaveRole&role=Role1");
- assertEquals("true,true", result);
- result = getWhoAmI("?method=doubleDoIHaveRole&role=Role2");
- assertEquals("false,false", result);
- }
-
- @Test
- public void testICIR_TwoBeans_ReAuth_ViaServlet() throws Exception {
- String result = getWhoAmI("?method=doubleDoIHaveRole&role=Users&username=user2&password=password2");
- assertEquals("true,true", result);
- result = getWhoAmI("?method=doubleDoIHaveRole&role=Role1&username=user2&password=password2");
- assertEquals("true,false", result);
- result = getWhoAmI("?method=doubleDoIHaveRole&role=Role2&username=user2&password=password2");
- assertEquals("false,true", result);
- }
-
- /*
- * isCallerInRole Scenarios with @RunAs Defined
- *
- * EJB 3.1 FR 17.2.5.2 isCallerInRole tests the principal that represents the caller of the enterprise bean, not the
- * principal that corresponds to the run-as security identity for the bean.
- */
-
- // 17.2.5 - Programatic Access to Caller's Security Context
- // Include tests for methods not implemented to pick up if later they are implemented.
- // 17.2.5.1 - Use of getCallerPrincipal
- // 17.6.5 - Security Methods on EJBContext
- // 17.2.5.2 - Use of isCallerInRole
- // 17.2.5.3 - Declaration of Security Roles Referenced from the Bean's Code
- // 17.3.1 - Security Roles
- // 17.3.2.1 - Specification of Method Permissions with Metadata Annotation
- // 17.3.2.2 - Specification of Method Permissions in the Deployment Descriptor
- // 17.3.2.3 - Unspecified Method Permission
- // 17.3.3 - Linking Security Role References to Security Roles
- // 17.3.4 - Specification on Security Identities in the Deployment Descriptor
- // (Include permutations for overrides esp where deployment descriptor removes access)
- // 17.3.4.1 - Run-as
- // 17.5 EJB Client Responsibilities
- // A transactional client can not change principal association within transaction.
- // A session bean client must not change the principal association for the duration of the communication.
- // If transactional requests within a single transaction arrive from multiple clients all must be associated
- // with the same security context.
-
- // 17.6.3 - Security Mechanisms
- // 17.6.4 - Passing Principals on EJB Calls
- // 17.6.6 - Secure Access to Resource Managers
- // 17.6.7 - Principal Mapping
- // 17.6.9 - Runtime Security Enforcement
- // 17.6.10 - Audit Trail
-}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationElytronTestCase.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationElytronTestCase.java
deleted file mode 100644
index 19a8d76a5922..000000000000
--- a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationElytronTestCase.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package org.jboss.as.test.integration.ejb.security;
-
-import org.jboss.arquillian.container.test.api.Deployment;
-import org.jboss.arquillian.junit.Arquillian;
-import org.jboss.as.arquillian.api.ServerSetup;
-import org.jboss.as.test.categories.CommonCriteria;
-import org.jboss.shrinkwrap.api.Archive;
-import org.jboss.shrinkwrap.api.ShrinkWrap;
-import org.jboss.shrinkwrap.api.spec.WebArchive;
-import org.junit.Assume;
-import org.junit.BeforeClass;
-import org.junit.experimental.categories.Category;
-import org.junit.runner.RunWith;
-
-@RunWith(Arquillian.class)
-@ServerSetup({EjbElytronDomainSetup.class})
-@Category(CommonCriteria.class)
-public class AuthenticationElytronTestCase extends AbstractAuthenticationTestCase {
-
- @BeforeClass
- public static void onlyIfElytronPropertySet() {
- Assume.assumeTrue(System.getProperty("elytron") != null);
- }
-
- @Deployment
- public static Archive deployment() {
- if (System.getProperty("elytron") == null) { // blank archive (cannot skip)
- return ShrinkWrap.create(WebArchive.class, "ejb3security.war");
- }
- return getDeployment().addClasses(AuthenticationElytronTestCase.class, EjbElytronDomainSetup.class);
- }
-
-}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationTestCase.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationTestCase.java
index 8d2aefdc3e5f..4c503ebeebf2 100644
--- a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationTestCase.java
+++ b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AuthenticationTestCase.java
@@ -1,21 +1,493 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright (c) 2011, Red Hat, Inc., and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. 
+ */ package org.jboss.as.test.integration.ejb.security; +import static java.util.concurrent.TimeUnit.SECONDS; +import static org.jboss.as.test.shared.integration.ejb.security.PermissionUtils.createPermissionsXmlAsset; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.HttpURLConnection; +import java.net.SocketPermission; +import java.net.URL; +import java.security.Principal; +import java.util.PropertyPermission; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; +import org.jboss.logging.Logger; +import javax.ejb.EJB; +import javax.ejb.EJBAccessException; +import javax.security.auth.AuthPermission; +import javax.security.auth.login.LoginContext; + import org.jboss.arquillian.container.test.api.Deployment; import org.jboss.arquillian.junit.Arquillian; import org.jboss.as.arquillian.api.ServerSetup; import org.jboss.as.test.categories.CommonCriteria; +import org.jboss.as.test.integration.ejb.security.authentication.EntryBean; +import org.jboss.as.test.integration.ejb.security.base.WhoAmIBean; +import org.jboss.as.test.integration.security.common.AbstractSecurityDomainSetup; +import org.jboss.as.test.shared.TestSuiteEnvironment; +import org.jboss.as.test.shared.integration.ejb.security.Util; +import org.jboss.security.client.SecurityClient; +import org.jboss.security.client.SecurityClientFactory; import org.jboss.shrinkwrap.api.Archive; +import org.jboss.shrinkwrap.api.ShrinkWrap; +import org.jboss.shrinkwrap.api.asset.StringAsset; +import 
org.jboss.shrinkwrap.api.spec.WebArchive; +import org.junit.Test; import org.junit.experimental.categories.Category; import org.junit.runner.RunWith; +/** + * Test case to hold the authentication scenarios, these range from calling a servlet which calls a bean to calling a bean which + * calls another bean to calling a bean which re-authenticated before calling another bean. + * + * @author Carlo de Wolf + * @author Darran Lofthouse + */ @RunWith(Arquillian.class) @ServerSetup({EjbSecurityDomainSetup.class}) @Category(CommonCriteria.class) -public class AuthenticationTestCase extends AbstractAuthenticationTestCase { +public class AuthenticationTestCase { + + private static final String SERVER_HOST_PORT = TestSuiteEnvironment.getServerAddress() + ":" + TestSuiteEnvironment.getHttpPort(); + private static final String WAR_URL = "http://" + SERVER_HOST_PORT + "/ejb3security/"; + + private static final Logger log = Logger.getLogger(AuthenticationTestCase.class.getName()); + + /* + * Authentication Scenarios + * + * Client -> Bean + * Client -> Bean -> Bean + * Client -> Bean (Re-auth) -> Bean + * Client -> Servlet -> Bean + * Client -> Servlet (Re-auth) -> Bean + * Client -> Servlet -> Bean -> Bean + * Client -> Servlet -> Bean (Re Auth) -> Bean + */ @Deployment public static Archive deployment() { - return getDeployment().addClasses(AuthenticationTestCase.class, EjbSecurityDomainSetup.class); + final Package currentPackage = AuthenticationTestCase.class.getPackage(); + // using JavaArchive doesn't work, because of a bug in Arquillian, it only deploys wars properly + final WebArchive war = ShrinkWrap.create(WebArchive.class, "ejb3security.war") + .addPackage(WhoAmIBean.class.getPackage()).addPackage(EntryBean.class.getPackage()) + .addClass(WhoAmI.class).addClass(Util.class).addClass(Entry.class) + .addClasses(WhoAmIServlet.class, AuthenticationTestCase.class) + .addClasses(AbstractSecurityDomainSetup.class, EjbSecurityDomainSetup.class) + 
.addClass(TestSuiteEnvironment.class) + .addAsResource(currentPackage, "users.properties", "users.properties") + .addAsResource(currentPackage, "roles.properties", "roles.properties") + .addAsWebInfResource(currentPackage, "web.xml", "web.xml") + .addAsWebInfResource(currentPackage, "jboss-web.xml", "jboss-web.xml") + .addAsWebInfResource(currentPackage, "jboss-ejb3.xml", "jboss-ejb3.xml") + .addAsManifestResource(new StringAsset("Manifest-Version: 1.0\nDependencies: org.jboss.as.controller-client,org.jboss.dmr\n"), "MANIFEST.MF") + .addAsManifestResource(createPermissionsXmlAsset( + // login module needs to modify pricipal to commit logging in + new AuthPermission("modifyPrincipals"), + // AuthenticationTestCase#testAuthenticatedCall calls org.jboss.security.client.JBossSecurityClient#performSimpleLogin + new RuntimePermission("org.jboss.security.getSecurityContext"), + new RuntimePermission("org.jboss.security.SecurityContextFactory.createSecurityContext"), + new RuntimePermission("org.jboss.security.SecurityContextFactory.createUtil"), + new RuntimePermission("org.jboss.security.plugins.JBossSecurityContext.setSubjectInfo"), + new RuntimePermission("org.jboss.security.setSecurityContext"), + // AuthenticationTestCase#execute calls ExecutorService#shutdownNow + new RuntimePermission("modifyThread"), + // AuthenticationTestCase#execute calls sun.net.www.http.HttpClient#openServer under the hood + new SocketPermission(SERVER_HOST_PORT, "connect,resolve"), + // TestSuiteEnvironment reads system properties + new PropertyPermission("management.address", "read"), + new PropertyPermission("node0", "read"), + new PropertyPermission("jboss.http.port", "read")), + "permissions.xml"); + war.addPackage(CommonCriteria.class.getPackage()); + return war; + } + + @EJB(mappedName = "java:global/ejb3security/WhoAmIBean!org.jboss.as.test.integration.ejb.security.WhoAmI") + private WhoAmI whoAmIBean; + + @EJB(mappedName = 
"java:global/ejb3security/EntryBean!org.jboss.as.test.integration.ejb.security.Entry") + private Entry entryBean; + + @Test + public void testAuthentication() throws Exception { + LoginContext lc = Util.getCLMLoginContext("user1", "password1"); + lc.login(); + try { + String response = entryBean.whoAmI(); + assertEquals("user1", response); + } finally { + lc.logout(); + } + } + + @Test + public void testAuthentication_BadPwd() throws Exception { + LoginContext lc = Util.getCLMLoginContext("user1", "wrong_password"); + lc.login(); + try { + entryBean.whoAmI(); + fail("Expected EJBAccessException due to bad password not thrown. (EJB 3.1 FR 17.6.9)"); + } catch (EJBAccessException ignored) { + } finally { + lc.logout(); + } + } + + @Test + public void testAuthentication_TwoBeans() throws Exception { + LoginContext lc = Util.getCLMLoginContext("user1", "password1"); + lc.login(); + try { + String[] response = entryBean.doubleWhoAmI(); + assertEquals("user1", response[0]); + assertEquals("user1", response[1]); + } finally { + lc.logout(); + } + } + + @Test + public void testAuthentication_TwoBeans_ReAuth() throws Exception { + LoginContext lc = Util.getCLMLoginContext("user1", "password1"); + lc.login(); + try { + String[] response = entryBean.doubleWhoAmI("user2", "password2"); + assertEquals("user1", response[0]); + assertEquals("user2", response[1]); + } finally { + lc.logout(); + } + } + + // TODO - Similar test with first bean @RunAs - does it make sense to also manually switch? + @Test + public void testAuthentication_TwoBeans_ReAuth_BadPwd() throws Exception { + LoginContext lc = Util.getCLMLoginContext("user1", "password1"); + lc.login(); + try { + entryBean.doubleWhoAmI("user2", "wrong_password"); + fail("Expected EJBAccessException due to bad password not thrown. 
(EJB 3.1 FR 17.6.9)"); + } catch (EJBAccessException ignored) { + } finally { + lc.logout(); + } + } + + @Test + public void testAuthenticatedCall() throws Exception { + // TODO: this is not spec + final SecurityClient client = SecurityClientFactory.getSecurityClient(); + client.setSimple("user1", "password1"); + client.login(); + try { + try { + final Principal principal = whoAmIBean.getCallerPrincipal(); + assertNotNull("EJB 3.1 FR 17.6.5 The container must never return a null from the getCallerPrincipal method.", + principal); + assertEquals("user1", principal.getName()); + } catch (RuntimeException e) { + e.printStackTrace(); + fail("EJB 3.1 FR 17.6.5 The EJB container must provide the caller’s security context information during the execution of a business method (" + + e.getMessage() + ")"); + } + } finally { + client.logout(); + } + } + + @Test + public void testUnauthenticated() throws Exception { + try { + final Principal principal = whoAmIBean.getCallerPrincipal(); + assertNotNull("EJB 3.1 FR 17.6.5 The container must never return a null from the getCallerPrincipal method.", + principal); + // TODO: where is 'anonymous' configured? 
+ assertEquals("anonymous", principal.getName());
+ } catch (RuntimeException e) {
+ e.printStackTrace();
+ fail("EJB 3.1 FR 17.6.5 The EJB container must provide the caller’s security context information during the execution of a business method ("
+ + e.getMessage() + ")");
+ }
+ }
+
+ @Test
+ public void testAuthentication_ViaServlet() throws Exception {
+ final String result = getWhoAmI("?method=whoAmI");
+ assertEquals("user1", result);
+ }
+
+ @Test
+ public void testAuthentication_ReAuth_ViaServlet() throws Exception {
+ final String result = getWhoAmI("?method=whoAmI&username=user2&password=password2");
+ assertEquals("user2", result);
+ }
+
+ @Test
+ public void testAuthentication_TwoBeans_ViaServlet() throws Exception {
+ final String result = getWhoAmI("?method=doubleWhoAmI");
+ assertEquals("user1,user1", result);
+ }
+
+ @Test
+ public void testAuthentication_TwoBeans_ReAuth_ViaServlet() throws Exception {
+ final String result = getWhoAmI("?method=doubleWhoAmI&username=user2&password=password2");
+ assertEquals("user1,user2", result);
+ }
+
+ @Test
+ public void testAuthentication_TwoBeans_ReAuth__BadPwd_ViaServlet() throws Exception {
+ try {
+ getWhoAmI("?method=doubleWhoAmI&username=user2&password=bad_password");
+ fail("Expected IOException");
+ } catch (IOException e) {
+ assertTrue(e.getMessage().contains("javax.ejb.EJBAccessException"));
+ }
+ }
+
+ /*
+ * isCallerInRole Scenarios
+ */
+
+ @Test
+ public void testICIRSingle() throws Exception {
+ LoginContext lc = Util.getCLMLoginContext("user1", "password1");
+ lc.login();
+ try {
+ assertTrue(entryBean.doIHaveRole("Users"));
+ assertTrue(entryBean.doIHaveRole("Role1"));
+ assertFalse(entryBean.doIHaveRole("Role2"));
+ } finally {
+ lc.logout();
+ }
+ }
+
+ @Test
+ public void testICIR_TwoBeans() throws Exception {
+ LoginContext lc = Util.getCLMLoginContext("user1", "password1");
+ lc.login();
+ try {
+ boolean[] response;
+ response = entryBean.doubleDoIHaveRole("Users");
+ assertTrue(response[0]);
+ assertTrue(response[1]);
+
+ response = entryBean.doubleDoIHaveRole("Role1");
+ assertTrue(response[0]);
+ assertTrue(response[1]);
+
+ response = entryBean.doubleDoIHaveRole("Role2");
+ assertFalse(response[0]);
+ assertFalse(response[1]);
+ } finally {
+ lc.logout();
+ }
+ }
+
+ @Test
+ public void testICIR_TwoBeans_ReAuth() throws Exception {
+ LoginContext lc = Util.getCLMLoginContext("user1", "password1");
+ lc.login();
+ try {
+ boolean[] response;
+ response = entryBean.doubleDoIHaveRole("Users", "user2", "password2");
+ assertTrue(response[0]);
+ assertTrue(response[1]);
+
+ response = entryBean.doubleDoIHaveRole("Role1", "user2", "password2");
+ assertTrue(response[0]);
+ assertFalse(response[1]);
+
+ response = entryBean.doubleDoIHaveRole("Role2", "user2", "password2");
+ assertFalse(response[0]);
+ assertTrue(response[1]);
+ } finally {
+ lc.logout();
+ }
+ }
+
+ private static String read(final InputStream in) throws IOException {
+ final ByteArrayOutputStream out = new ByteArrayOutputStream();
+ int b;
+ while ((b = in.read()) != -1) {
+ out.write(b);
+ }
+ return out.toString();
+ }
+
+ private static String processResponse(HttpURLConnection conn) throws IOException {
+ int responseCode = conn.getResponseCode();
+ if (responseCode != HttpURLConnection.HTTP_OK) {
+ final InputStream err = conn.getErrorStream();
+ try {
+ String response = err != null ? read(err) : null;
+ throw new IOException(String.format("HTTP Status %d Response: %s", responseCode, response));
+ } finally {
+ if (err != null) {
+ err.close();
+ }
+ }
+ }
+ final InputStream in = conn.getInputStream();
+ try {
+ return read(in);
+ } finally {
+ in.close();
+ }
+ }
+
+
+ private String getWhoAmI(String queryString) throws Exception {
+ return get(WAR_URL + "whoAmI" + queryString, "user1", "password1", 10, SECONDS);
+ }
+
+ public static String get(final String spec, final String username, final String password, final long timeout, final TimeUnit unit) throws IOException, TimeoutException {
+ final URL url = new URL(spec);
+ Callable task = new Callable() {
+ @Override
+ public String call() throws IOException {
+ final HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ if (username != null) {
+ final String userpassword = username + ":" + password;
+ final String basicAuthorization = java.util.Base64.getEncoder().encodeToString(userpassword.getBytes());
+ conn.setRequestProperty("Authorization", "Basic " + basicAuthorization);
+ }
+ conn.setDoInput(true);
+ return processResponse(conn);
+ }
+ };
+ return execute(task, timeout, unit);
+ }
+
+ private static String execute(final Callable task, final long timeout, final TimeUnit unit) throws TimeoutException, IOException {
+ final ExecutorService executor = Executors.newSingleThreadExecutor();
+ final Future result = executor.submit(task);
+ try {
+ return result.get(timeout, unit);
+ } catch (TimeoutException e) {
+ result.cancel(true);
+ throw e;
+ } catch (InterruptedException e) {
+ // should not happen
+ throw new RuntimeException(e);
+ } catch (ExecutionException e) {
+ // by virtue of the Callable redefinition above I can cast
+ throw new IOException(e);
+ } finally {
+ executor.shutdownNow();
+ try {
+ executor.awaitTermination(timeout, unit);
+ } catch (InterruptedException e) {
+ // ignore
+ }
+ }
+ }
+
+
+ @Test
+ public void testICIR_ViaServlet() throws Exception {
+ String result = getWhoAmI("?method=doIHaveRole&role=Users");
+ assertEquals("true", result);
+ result = getWhoAmI("?method=doIHaveRole&role=Role1");
+ assertEquals("true", result);
+ result = getWhoAmI("?method=doIHaveRole&role=Role2");
+ assertEquals("false", result);
 }
+ @Test
+ public void testICIR_ReAuth_ViaServlet() throws Exception {
+ String result = getWhoAmI("?method=doIHaveRole&role=Users&username=user2&password=password2");
+ assertEquals("true", result);
+ result = getWhoAmI("?method=doIHaveRole&role=Role1&username=user2&password=password2");
+ assertEquals("false", result);
+ result = getWhoAmI("?method=doIHaveRole&role=Role2&username=user2&password=password2");
+ assertEquals("true", result);
+ }
+
+ @Test
+ public void testICIR_TwoBeans_ViaServlet() throws Exception {
+ String result = getWhoAmI("?method=doubleDoIHaveRole&role=Users");
+ assertEquals("true,true", result);
+ result = getWhoAmI("?method=doubleDoIHaveRole&role=Role1");
+ assertEquals("true,true", result);
+ result = getWhoAmI("?method=doubleDoIHaveRole&role=Role2");
+ assertEquals("false,false", result);
+ }
+
+ @Test
+ public void testICIR_TwoBeans_ReAuth_ViaServlet() throws Exception {
+ String result = getWhoAmI("?method=doubleDoIHaveRole&role=Users&username=user2&password=password2");
+ assertEquals("true,true", result);
+ result = getWhoAmI("?method=doubleDoIHaveRole&role=Role1&username=user2&password=password2");
+ assertEquals("true,false", result);
+ result = getWhoAmI("?method=doubleDoIHaveRole&role=Role2&username=user2&password=password2");
+ assertEquals("false,true", result);
+ }
+
+ /*
+ * isCallerInRole Scenarios with @RunAs Defined
+ *
+ * EJB 3.1 FR 17.2.5.2 isCallerInRole tests the principal that represents the caller of the enterprise bean, not the
+ * principal that corresponds to the run-as security identity for the bean.
+ */
+
+ // 17.2.5 - Programatic Access to Caller's Security Context
+ // Include tests for methods not implemented to pick up if later they are implemented.
+ // 17.2.5.1 - Use of getCallerPrincipal
+ // 17.6.5 - Security Methods on EJBContext
+ // 17.2.5.2 - Use of isCallerInRole
+ // 17.2.5.3 - Declaration of Security Roles Referenced from the Bean's Code
+ // 17.3.1 - Security Roles
+ // 17.3.2.1 - Specification of Method Permissions with Metadata Annotation
+ // 17.3.2.2 - Specification of Method Permissions in the Deployment Descriptor
+ // 17.3.2.3 - Unspecified Method Permission
+ // 17.3.3 - Linking Security Role References to Security Roles
+ // 17.3.4 - Specification on Security Identities in the Deployment Descriptor
+ // (Include permutations for overrides esp where deployment descriptor removes access)
+ // 17.3.4.1 - Run-as
+ // 17.5 EJB Client Responsibilities
+ // A transactional client can not change principal association within transaction.
+ // A session bean client must not change the principal association for the duration of the communication.
+ // If transactional requests within a single transaction arrive from multiple clients all must be associated
+ // with the same security context.
+
+ // 17.6.3 - Security Mechanisms
+ // 17.6.4 - Passing Principals on EJB Calls
+ // 17.6.6 - Secure Access to Resource Managers
+ // 17.6.7 - Principal Mapping
+ // 17.6.9 - Runtime Security Enforcement
+ // 17.6.10 - Audit Trail
 }
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/EjbElytronDomainSetup.java b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/EjbElytronDomainSetup.java
deleted file mode 100644
index 94bc57180de1..000000000000
--- a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/EjbElytronDomainSetup.java
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2016, Red Hat, Inc., and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-
-package org.jboss.as.test.integration.ejb.security;
-
-import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.*;
-
-import java.io.File;
-import java.util.LinkedList;
-import java.util.List;
-
-import org.jboss.as.arquillian.container.ManagementClient;
-import org.jboss.as.controller.PathAddress;
-import org.jboss.as.controller.client.ModelControllerClient;
-import org.jboss.as.controller.descriptions.ModelDescriptionConstants;
-import org.jboss.as.controller.operations.common.Util;
-import org.jboss.as.test.integration.security.common.AbstractSecurityDomainSetup;
-import org.jboss.dmr.ModelNode;
-import org.junit.Assume;
-import org.wildfly.extension.elytron.ElytronExtension;
-
-/**
- * Utility methods to create/remove simple security domains
- *
- * @author Jan Kalina
- */
-public class EjbElytronDomainSetup extends AbstractSecurityDomainSetup {
-
- private PathAddress realmAddress;
-
- private PathAddress domainAddress;
-
- private PathAddress saslAuthenticationAddress;
-
- private PathAddress remotingConnectorAddress;
-
- private PathAddress ejbDomainAddress;
-
- private PathAddress ejbRemoteAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, "ejb3")
- .append("service", "remote");
-
- private PathAddress httpAuthenticationAddress;
-
- private PathAddress undertowDomainAddress;
-
- protected String getSecurityDomainName() {
- return "ejb3-tests";
- }
-
- protected String getSecurityRealmName() {
- return "UsersRoles";
- }
-
- protected String getUndertowDomainName() {
- return "ejb3-tests";
- }
-
- protected String getEjbDomainName() {
- return "ejb3-tests";
- }
-
- protected String getSaslAuthenticationName() {
- return "ejb3-tests";
- }
-
- protected String getRemotingConnectorName() {
- return "ejb3-tests";
- }
-
- protected String getHttpAuthenticationName() {
- return "ejb3-tests";
- }
-
- protected String getUsersFile() {
- return new File(EjbSecurityDomainSetup.class.getResource("users.properties").getFile()).getAbsolutePath();
- }
-
- protected String getGroupsFile() {
- return new File(EjbSecurityDomainSetup.class.getResource("roles.properties").getFile()).getAbsolutePath();
- }
-
- protected boolean isUsersFilePlain() {
- return true;
- }
-
- @Override
- public void setup(final ManagementClient managementClient, final String containerId) throws Exception {
- System.out.println("elytron setup...");
- Assume.assumeTrue(System.getProperty("elytron") != null);
- System.out.println("...elytron setup...");
-
-
- realmAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, ElytronExtension.SUBSYSTEM_NAME)
- .append("properties-realm", getSecurityRealmName());
-
- domainAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, ElytronExtension.SUBSYSTEM_NAME)
- .append("security-domain", getSecurityDomainName());
-
- saslAuthenticationAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, ElytronExtension.SUBSYSTEM_NAME)
- .append("sasl-authentication-factory", getSaslAuthenticationName());
-
- remotingConnectorAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, "remoting")
- .append("http-connector", getRemotingConnectorName());
-
- ejbDomainAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, "ejb3")
- .append("application-security-domain", getEjbDomainName());
-
- httpAuthenticationAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, ElytronExtension.SUBSYSTEM_NAME)
- .append("http-authentication-factory", getHttpAuthenticationName());
-
- undertowDomainAddress = PathAddress.pathAddress()
- .append(SUBSYSTEM, "undertow")
- .append("application-security-domain", getUndertowDomainName());
-
- final ModelNode compositeOp = new ModelNode();
- compositeOp.get(OP).set(ModelDescriptionConstants.COMPOSITE);
- compositeOp.get(OP_ADDR).setEmptyList();
-
- ModelNode steps = compositeOp.get(STEPS);
-
- // /subsystem=elytron/properties-realm=UsersRoles:add(users-properties={path=users.properties},groups-properties={path=roles.properties})
- ModelNode addRealm = Util.createAddOperation(realmAddress);
- addRealm.get("users-properties").get("path").set(getUsersFile());
- addRealm.get("groups-properties").get("path").set(getGroupsFile());
- addRealm.get("plain-text").set(isUsersFilePlain()); // not hashed
- steps.add(addRealm);
-
- // /subsystem=elytron/security-domain=EjbDomain:add(default-realm=UsersRoles, realms=[{realm=UsersRoles}])
- ModelNode addDomain = Util.createAddOperation(domainAddress);
- addDomain.get("permission-mapper").set("default-permission-mapper"); // LoginPermission for everyone (defined in standalone-elytron.xml)
- addDomain.get("default-realm").set(getSecurityRealmName());
- addDomain.get("realms").get(0).get("realm").set(getSecurityRealmName());
- addDomain.get("realms").get(0).get("role-decoder").set("groups-to-roles"); // use attribute "groups" as roles (defined in standalone-elytron.xml)
- steps.add(addDomain);
-
- // /subsystem=elytron/sasl-authentication-factory=ejb3-tests-auth-fac:add(sasl-server-factory=configured,security-domain=EjbDomain,mechanism-configurations=[{mechanism-name=BASIC}])
- ModelNode addSaslAuthentication = Util.createAddOperation(saslAuthenticationAddress);
- addSaslAuthentication.get("sasl-server-factory").set("configured");
- addSaslAuthentication.get("security-domain").set(getSecurityDomainName());
- addSaslAuthentication.get("mechanism-configurations").get(0).get("mechanism-name").set("BASIC");
- steps.add(addSaslAuthentication);
-
- // remoting connection with sasl-authentication-factory
- ModelNode addRemotingConnector = Util.createAddOperation(remotingConnectorAddress);
- addRemotingConnector.get("sasl-authentication-factory").set(getSaslAuthenticationName());
- addRemotingConnector.get("connector-ref").set("default");
- // authentication-provider sasl-protocol security-realm server-name
- steps.add(addRemotingConnector);
-
- // /subsystem=ejb3/application-security-domain=ejb3-tests:add(security-domain=ApplicationDomain)
- ModelNode addEjbDomain = Util.createAddOperation(ejbDomainAddress);
- addEjbDomain.get("security-domain").set(getSecurityDomainName());
- steps.add(addEjbDomain);
-
- steps.add(Util.getWriteAttributeOperation(ejbRemoteAddress, "connector-ref", "ejb3-tests-connector"));
-
- ModelNode addHttpAuthentication = Util.createAddOperation(httpAuthenticationAddress);
- addHttpAuthentication.get("security-domain").set(getSecurityDomainName());
- addHttpAuthentication.get("http-server-mechanism-factory").set("global");
- addHttpAuthentication.get("mechanism-configurations").get(0).get("mechanism-name").set("BASIC");
- addHttpAuthentication.get("mechanism-configurations").get(0).get("mechanism-realm-configurations").get(0).get("realm-name").set("TestingRealm");
- steps.add(addHttpAuthentication);
-
- ModelNode addUndertowDomain = Util.createAddOperation(undertowDomainAddress);
- addUndertowDomain.get("http-authentication-factory").set(getHttpAuthenticationName());
- steps.add(addUndertowDomain);
-
- applyUpdate(managementClient.getControllerClient(), compositeOp, false);
- System.out.println("...elytron setup");
- }
-
- @Override
- public void tearDown(final ManagementClient managementClient, final String containerId) {
- System.out.println("tearing down...");
- Assume.assumeTrue(System.getProperty("elytron") != null);
- System.out.println("...tearing down...");
-
- List updates = new LinkedList<>();
- updates.add(createRemoveIgnoring(undertowDomainAddress));
- updates.add(createRemoveIgnoring(httpAuthenticationAddress));
- updates.add(Util.getWriteAttributeOperation(ejbRemoteAddress, "connector-ref", "http-remoting-connector"));
- updates.add(createRemoveIgnoring(ejbDomainAddress));
- updates.add(createRemoveIgnoring(remotingConnectorAddress));
- updates.add(createRemoveIgnoring(saslAuthenticationAddress));
- updates.add(createRemoveIgnoring(domainAddress));
- updates.add(createRemoveIgnoring(realmAddress));
-
- try {
- applyUpdates(managementClient.getControllerClient(), updates, true);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- System.out.println("...tearing down");
- }
-
- private static ModelNode createRemoveIgnoring(PathAddress address) {
- ModelNode remove = Util.createRemoveOperation(address);
- // Don't rollback when the AS detects the war needs the module
- remove.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
- remove.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
- return remove;
- }
-
- protected static void applyUpdates(final ModelControllerClient client, final List updates, boolean allowFailure) {
- for (ModelNode update : updates) {
- try {
- applyUpdate(client, update, allowFailure);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
- }
-}
diff --git a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/users.properties b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/users.properties
index 9450b97f5213..fe887b5bb53a 100644
--- a/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/users.properties
+++ b/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/users.properties
@@ -1,4 +1,3 @@
-#$REALM_NAME=UsersRoles$
 user1=password1
 user2=password2
 admin=admin